Certificate Expiration FAQs

Expert

Anaplan is issuing a new Anaplan certificate on December 8, 2018. You will need to take action based on the integration client and authentication method you are using: 

Integration Client
Authentication 
Action Required?
Anaplan Connect 1.3.3.5 or lower Anaplan Certificate Yes
Anaplan Connect 1.4 CA Certificate No
Informatica Anaplan Connector Anaplan Certificate Yes
Informatica Anaplan Connector CA Certificate No
Mulesoft 2.x CA Certificate No
SnapLogic 1.x Anaplan Certificate Yes
Boomi x.x Basic Authentication No
Tableau 1.0 Anaplan Certificate  Yes
Any client Basic Authentication No

If your integration client and authentication method has a "Yes" in the "Action Required" column, then you must take action on December 8 to prevent disruption to your integrations.

Note that web login, web SSO, and basic authentication to integrations are not impacted by this event.

This FAQ covers the following topics:

Anaplan-Issued New Certificate on December 8

What is happening?

Anaplan is issuing a new certificate used for integrations on December 8, 2018.

This new certificate is intended to be used for existing clients on the legacy certificate authentication (such as Anaplan Connect 1.3.3.5). This certificate will not work on clients using the CA certificates (such as Anaplan Connect 1.4). Customers will now have two options to continue using certificate authentication with integrations:

  • Continue using your existing client (e.g., Anaplan Connect 1.3.3.5) by downloading a new certificate on December 8, 2018 after the maintenance window.
  • Use a client that supports CA certificates (e.g., Anaplan Connect 1.4) by implementing this before December 8, 2018.

Although customers will now have two options to choose from, Anaplan recommends that customers update their integration clients to a version that supports Certificate Authentication 2.0, which uses a CA certificate.

Why is this change happening?

The current Anaplan certificate used by some customers for their integrations is set to expire in December. Customers who are impacted have been updating their clients to use CA certificates. However, we have received feedback that customers need more time to complete these updates and wanted to continue to use their existing clients. In order to support the existing clients, Anaplan will be issuing a new certificate on December 8, 2018 which can be used for certificate authentication. The benefit of this option is that customers can continue to use their existing clients and will have more time to update their clients to use CA certificates after December 2018.

How can you check if this impacts you and what steps do you need to take?

See the Update to Integration Certificate Expiration blog post for information on impact and any steps to take.

Is it possible for you to edit the expiration date on your existing certificates?

No, the expiration date for a certificate cannot be changed. However, you can download a new Anaplan-issued certificate with a 1-year expiration date following the maintenance window on December 8, 2018, and use that with your existing integration client.

How do you apply the certificate issued on December 8?

Assuming that you are using a supported integration client, complete the following steps on December 8:

  1. Anaplan has a planned maintenance window on December 8, 2018. After this window is complete, you can obtain a new certificate.
  2. Log in to Anaplan and go to the My Account page
  3. Click on the Certificates tab, then click the Create new Certificate button. This procedure is documented in Anapedia.
  4. Once you have the certificate, apply it to your integration client. Instructions for applying them are different for every client

Certificate Authority (CA) Certificates

Why this change to CA certificates?

As the Anaplan platform evolves, we are always looking to provide our customers with more features and ways to integrate with Anaplan. The new Anaplan APIs and integration connectors leverage Certificate Authority (CA) -issued certificates. CA authentication offers a certificate hierarchy known as the "chain of trust" that enables you to verify the validity of a certificate issuer. This aligns with industry standards and provides a higher level of security for Anaplan customers.

  • Customers can leverage their own certificates from a trusted Certificate Authority that ends with a supported Root CA Certificate.
  • Customers can now specify the expiration dates for their certificates.
  • Customers have the ability to disable the cert themselves through a new interface on Administration.
  • These certificates can be obtained through your company's intermediary CA (typically issued by IT) or by purchasing it from a trusted Certificate Authority.
  • This method of authentication also supports Anaplan's new authentication framework which provides for a more secure method for sending credentials on API calls

Which currently available clients support CA certificates?

  • Anaplan Connect 1.4
  • Informatica Anaplan Connector
  • Mulesoft 2.0.1

How do Customers use the CA (Certificate Authentication 2.0) option?

The following links will guide you through the procurement and registration of CA-issued certificates in Anaplan:

  • How to procure certificates
  • How to manage them in Anaplan.
  • Please note that you can use certificates issued by an Intermediary CA with any of these supported Root CAsNote that certificates from an Intermediary CA are typically managed by staff in your organization. If you are unsure about whether your intermediary certificate uses a supported Root CA, contact your internal technical staff.

What are the benefits of moving to CA Certificates?

CA certificates align with industry standards and provide a higher level of security for Anaplan customers. For more information, see Administration: Security - Certificates in Anapedia.

Is there a cost to your company for using CA Certificates?

You can obtain a CA certificate from your internal intermediary CA or purchase certificates from a Certificate Authority. If you have an intermediate CA, you can issue the certificate yourself. Your IT team can advise on your internal processes for obtaining certificates based on an intermediate CA.

Integrations and APIs

What integration options and APIs are available to you?

The current Anaplan Production REST API version is v1.3. v2.0 of the Integration API has recently been released. Authentication mechanisms with both API versions are:

  1. v1.3 API:
    • Basic Authentication
    • Authentication with Anaplan Certificates
  2. v2.0 API:
    • Basic Authentication
    • CA Certificate based authentication

NOTE: Both API versions support Basic Authentication.

Anaplan Integration clients use one or both APIs. For more information on available integrations, see the Update to Integration Certificate Expiration blog post.

What if you are using a custom integration client?

  • If you have developed your own integration client to Anaplan, or are using a custom integration client developed by a partner or system integrator, the impact depends on what API version was used to develop your connector. If you are using basic authentication to authenticate to Anaplan via integrations, you're not impacted. 
  • If your custom integration client was developed using API v1.3 and you authenticate with Anaplan-issued certificates, you can download the new certificate on December 8, 2018, if you wish to continue using this integration client with certificate authentication. If you want to use a CA certificate, you need to update your custom client to use API v2.0.
  • If your custom integration client was developed using API 2.0 and you authenticate with CA certificates, you'll be unable to use the new Anaplan-issued certificate on December 8, 2018. You are already using a CA-issued certificate as API 2.0 only supports certificates issued by a CA.

More information about the v2.0 Integration API can be found here: https://anaplanbulkapi20.docs.apiary.io

What should you do if you don't want to upgrade to latest API clients or switch to Basic Auth?

If you want to continue with existing Integration clients or custom integrations, you must switch over to Basic Auth for authentication or download a new certificate on December 8, 2018. With Basic Auth, you will use a user ID and password in your integrations instead of Anaplan Certificates. 

You can continue to use your existing integrations with certificate authentication if you download a new Anaplan certificate on December 8, 2018. However, we are encouraging customers to migrate to a new client that supports CA certificates as that is our intended certificate authentication method.

Anaplan Connect

What if you are using Anaplan Connect (AC) for Integrations?

If you are using Basic Auth (user ID and password) in AC 1.3.x.x. scripts, you can continue to do so. You can upgrade to AC 1.4, at your convenience.

If you are using Anaplan certificates for authentication, you can download a new certificate on December 8, 2018. You can keep both AC 1.3.x.x and AC 1.4 installed at the same time, and migrate your integration scripts one-by-one to AC 1.4.

AC 1.4 supports authentication with CA Certificates and Basic Auth. Existing Anaplan Certificates (downloaded from Anaplan UI) are not compatible with AC 1.4. Please review this blog post for steps to port AC 1.3.x.x Integration scripts to AC 1.4: https://community.anaplan.com/t5/Knowledge-Base/Migrating-from-Anaplan-Connect-1-3-x-x-to-Anaplan-Co...

You can take the Anaplan Connect online training from Anaplan Academy: https://community.anaplan.com/t5/Academy-Classes/Data-Related-Training-Classes/ta-p/19566

How do you update Anaplan certificates in Anaplan Connect 1.3.x.x Integrations?

If you are using Anaplan Connect 1.3.x.x. Integrations with Anaplan certificates, you can update the certificates by editing your Integration script files.

  1. Open your Anaplan Connect integration script files (Windows .bat or Unix .sh scripts) in a text editor.
  2. Look for -certificate option in the script. The option is followed by file path to your current Anaplan Certificate.
  3. Download updated Anaplan Certificate from the Certificate tab in your Anaplan My Account page
  4. Copy it to the file destination on the machine where Anaplan Connect 1.3.x.x is installed. You can place it in the same folder as your current Anaplan Certificate.
  5. Edit your integration script and replace file path to old Certificate with file path to new Certificate. 

Example

In this example, the previous certificate is: certificate-123456789.cer.  The new certificate is: certificate-new4567890.cer. The destination folder where the certificates are placed is: C:\anaplan-connect-1-3-3-5

  1. Open your Anaplan Connect integration script in a text editor.
  2. set Operation - certificate “C:\anaplan-connect-1-3-3-5\certificate-123456789.cer”
  3. Log into Anaplan, click on My Account, then navigate to the Certificate tab and download the updated Anaplan Certificate (certificate-new4567890.cer).
  4. Copy certificate-new4567890.cer to C:\anaplan-connect-1-3-3-5\.
  5. In your integration script, change the line from step 2 to: C:\anaplan-connect-1-3-3-5\certificate-new4567890.cer

As an alternative, you can also rename your new certificate to use the same name as your old certificate and avoid the need to update your Anaplan Connect 1.3.x.x. scripts.

Example
In this example, the old certificate is certificate-123456789.cer and the new certificate is certificate-new4567890.cer.

  1. Log into Anaplan, click on My Account, then navigate to the Certificate tab and download the updated Anaplan Certificate (certificate-new4567890.cer).
  2. Go to the folder on your machine where old certificates is located.
  3. Rename your old certificate certificate-123456789.cer to backup-certificate-123456789.cer
  4. Copy certificate-new4567890.cer to C:\anaplan-connect-1-3-3-5\, and rename it to certificate-123456789.cer
  5. Run your integration scripts. You don’t need to edit your scripts.

You can find the Anaplan Connect 1.3.3.5 user guide here.

How do you create a JAVA keystore for use with Anaplan Connect 1.4?

You can refer to following sources for information on creating JAVA keystore for use with Anaplan Connect v1.4:

  1. Refer to section "Certificate Authentication using Keystore" in https://s3.amazonaws.com/anaplanenablement/Community/Anapedia/Anaplan_Connect.pdf 
  2. Refer to "Certificate Authentication Process" video recording at https://community.anaplan.com/t5/Videos/bg-p/Videos

Additionally, you can refer to the full Anaplan Connect online training at Anaplan Academy: https://community.anaplan.com/t5/Academy-Classes/Data-Related-Training-Classes/ta-p/19566

Single Sign-On (SSO)

Does this impact Anaplan Single Sign-on (SSO)?

No. There is no impact on Anaplan Single Sign-on (SSO). The impact is only on the Anaplan data Integration API and Integration connector authentication.

What if you’re using SSO and need to integrate with Anaplan?

Accessing Anaplan via a browser with standard login or with SSO is not impacted by this change. The certificate used in SSO is unrelated to the certificates used for integration certificate authentication.

Customers who are configured to use SSO have two options to authenticate their integrations with Anaplan:

  1. If the actions you want Anaplan Connect to run are for models in a workspace using single sign-on, you can use certificate authentication. We recommend using the new certificate authentication 2.0 if possible which supports CA Authentication.
  2. If you are configured for Single Sign-on (SSO), but have a requirement for a user to bypass it and use basic authentication (username and password) instead, then the user must be configured as an Exception User. An Exception User can authenticate by username and password or by certificate, rather than through SAML.  For more information, see Assign Exception Users in Anapedia.

More Questions?

Who should you contact in case of more questions?

Please post your questions in the Forum. Alternatively, you can contact your Anaplan Customer Success (CS) Business Partner.